China Issues Its First Network Security Law

The Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) has introduced China’s first comprehensive Network Security Law (also referred to as the Cybersecurity Law). The law will have far-reaching implications for parties that use the internet and handle network data and personal information in the PRC.

What this means for China’s internet users

Both individuals and entities that access the internet in the PRC will be subject to enhanced security requirements and new regulations relating to the use and transfer of personal data. Network operators, equipment suppliers, security solution providers and other market participants will need to comply with the sweeping new security requirements and national standards, which will come into effect on June 1, 2017. Key requirements of the new law are set out below:

The new law applies to all “operators” (i.e., owners, administrators and service providers) of networks in China. While it appears that the Network Security Law would primarily govern activities occurring on networks that are physically within the territory of the PRC, Article 5 authorizes PRC authorities to monitor, and take preventive or defensive action against, certain network activities that occur outside the PRC but create negative consequences in the PRC (such as security risks and threats, internet crimes and telecommunication fraud).

More onerous rules have been introduced for Critical Information Infrastructure (CII) and Operators of CII (CIIOs). Tightening the security requirements for such infrastructure is regarded as critical to the PRC’s national security or public interests.

Personal information and critical data of CIIOs must be stored in China. Under the new requirements, cross-border transmission of personal data will need to be supported by business necessity, and will require a security assessment by government authorities. To comply with new data storage and transmission requirements under the Network Security Law, domestic and multinational corporations that qualify as CIIOs will need to reevaluate their internal processes regarding collecting, storing, processing and transmitting user information, and adjust accordingly.

The new law introduces a class-based network security protection system, which applies to all network operators in the PRC. While the details of the class-based network security protection system require further definition, the Network Security Law sets out general compliance requirements to ensure security of network operations, including: the establishment of internal network security systems; implementation of measures to monitor and record security incidents; identity verification; information management of prohibited content; enhanced cooperation with government authorities; and compliance with mandatory national standards.

Unique and interesting breach notification requirements have been introduced. In addition to notification of incidents, internet product and service providers must not install or distribute malicious programs under the new law. In the event that products or services are discovered to contain security defects, or that data leakages or other security risks have occurred, providers must promptly inform their users and take remedial action. At present, the new law does not specify a required notification timeframe, nor does its language clarify responsibility in cases where third parties or other unsanctioned actors install malicious products or services.

Identity verification is now a requirement for certain network services; however, the new law has not elaborated on how a user’s identity will be verified. Network operators must require verification of a user’s real name and identity upon execution of a service agreement or upon confirmation by network operators to provide users with network access, domain name registration, local/mobile phone networking access, instant messaging and information publication services. In practice, identity verification is increasingly commonplace in the PRC.

At present, the new law does not fully clarify the processes now required for cross-border data transfer security assessments or network product security reviews, or the degree of cooperation government authorities will require. Consequently, the new Network Security Law could present significant compliance challenges both to market participants in China and to international entities accessing the internet in the PRC. Yet the law could also bring new investment opportunities for corporations, such as network security certification services and the development and application of network security technologies and convenient digital ID technology. As the deadline for compliance fast approaches, organizations will need to follow further legislative developments closely to ensure full compliance by 1 June 2017.

The purpose of this communication is to foster an open dialogue and not to establish firm policies or best practices. Needless to say, this is not a substitute for legal advice or reading the rules and regulations we have summarized. In any particular case, you should consult with lawyers at the firm with the most experience on the topic. Depending on your specific situation, answers other than those outlined in this blog may be appropriate. Your use of this blog site alone creates no attorney client relationship between you and Latham & Watkins LLP. Do not include confidential information in comments or other feedback or messages left on the Latham.London Blog, as these are neither confidential nor secure methods of communicating with attorneys.
